Dive Brief:
- Highly skilled, unauthorized users may be able to enable unpurchased system options in a 12-lead electrocardiogram analysis software program made by Philips, according to a cybersecurity advisory Thursday.
- The alert, issued by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said all versions of the Philips Holter 2010 Plus are affected. The organization rated the vulnerability as having relatively low severity.
- Philips faced another ICS-CERT call-out in May, when the DHS division flagged an issue with an electronic medical record product that could allow a hacker to compromise patient confidentiality.
Dive Insight:
While the potential for patient harm from this particular Philips cybersecurity issue is not high, it's still part of a trend of discoveries of medical device weaknesses. FDA's Patient Engagement Advisory Committee will meet Sept. 10 to discuss medical device cybersecurity, with a particular focus on how regulators and industry can best inform the public of risks.
Philips proactively reported the vulnerability to the National Cybersecurity and Communications Integration Center. The company said in a statement the issue "does not impact patient safety, patient data integrity or confidentiality or system operations," and it isn't aware of reports of utility or safety of the product being affected.
The ICS-CERT advisory was the second medtech alert of the week. A more serious warning Tuesday highlighted two hospital anesthesia machines: GE's Aestiva and Aespire devices. A cybersecurity firm discovered a medium severity vulnerability in which a hacker could remotely silence alarms, alter time and date records or change composition of aspirated gases.
NCCIC says it's a good idea for users of the Philips software to disable unnecessary accounts and services.
"Philips recommends users implement role-based access controls to control physical access to the system," the advisory said. "Further controls are provided by the multiple components required to exploit the vulnerability."